Facebook secretly paid users $20 a month to use VPN spying app

Now that Apple knows what Facebook did, the iOS version of the Facebook Research VPN app will be yanked. But the Android version will continue.


Facebook has been “secretly” paying $20 a month to some users ages 13 to 35 to install and use a VPN app that requires installing a root certificate, thereby handing over every bit of data leaving their smartphones – including encrypted traffic from apps and secure browsing sessions, which the root certificate allows the app to decrypt.

The Facebook Research VPN app, according to TechCrunch, is similar to Facebook’s Onavo Protect app, which Apple objected to for privacy reasons and banned last year. It has the same features as Onavo. In fact, Will Strafach, the security expert who analyzed the Facebook Research app for TechCrunch, tweeted, “They didn't even bother to change the function names, the selector names, or even the ‘ONV’ class prefix. It's literally all just Onavo code with a different UI.”

He told TechCrunch:

If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.

The Facebook Research app has been around since 2016 but has been referred to as “Project Atlas” since the middle of 2018. It was being distributed by three app beta testing services: BetaBound, uTest, and Applause. Users weren’t always clued in that the app was related to Facebook until they started to install it. Apple users did not download the app from Apple’s App Store, but from a Facebook URL; they were told to install an Enterprise Developer Certificate, which basically handed over root access to their phone.

Facebook pulls iOS version of Facebook Research VPN app

Facebook denied that it violated Apple’s terms, but after TechCrunch ran the story, Facebook said it would shut down the iOS version of the app. The Android version will not be shut down. Facebook claims users agreed to hand over all of their data by using the app and are compensated for it. Others argue that many of the users have no real clue about the extent of the data collection they agreed to.

Just last week, Facebook CEO Mark Zuckerberg’s op-ed, “The Facts about Facebook,” was published in the paywalled Wall Street Journal. It contained the same tired and trite excuses. Regarding advertising, he claimed people prefer “relevant ads,” that Facebook doesn’t “sell people’s data” – and that ads keep Facebook free. The EFF said Zuckerberg missed the mark by miles; it “wildly misses users’ actual privacy concerns and preferences.” He “ends his op-ed with a call for government regulation codifying the principles of ‘transparency, choice, and control.’ But in reality, Facebook is tirelessly fighting against laws that might do just that.”

The New York Times, one day after Zuck’s op-ed, reported that Zuckerberg intends to unify the tech infrastructure for the three standalone messaging apps: Facebook Messenger, Instagram and WhatsApp – which, combined, have over 2.6 billion users. So much for Zuckerberg’s previous promises for WhatsApp and Instagram’s autonomy. 

Integrating the three apps also raises another round of privacy problems, as WhatsApp users need only a phone number to sign up, whereas Facebook Messenger requires real names. The meshing of the messengers’ guts also raises technical questions because, of the three, only WhatsApp doesn’t store messages and uses end-to-end encryption by default. Yet former Facebook security chief Alex Stamos said that if Facebook Messenger and Instagram were also going to be end-to-end encrypted, it would be “the most impactful uplift of communications privacy in human history.”

I personally detest Facebook and privately refer to it as “the devil.” Some folks think it is a monopoly, while others claim Facebook’s acquisitions of WhatsApp and Instagram “should have triggered antitrust scrutiny.”

Interestingly, as The Verge’s Casey Newton pointed out on The Interface:

If the Federal Trade Commission ever planned to compel Facebook to spin out WhatsApp and Instagram — a big if, I know — you can imagine the company explaining that there was no longer such a thing as “WhatsApp” or “Instagram.” Going forward, those names will refer only to their respective graphical user interfaces. Behind the curtain, there is only Facebook. It’s a characteristically savvy — and ruthless — move from Zuckerberg and his lieutenants.
